1

States Confront the Cyber Challenge

Memo on State Cybersecurity Strategies

General Overview

This memo provides an overview of state cybersecurity strategies, as well as information

technology and homeland security strategies with cybersecurity components. Possessing and

implementing a cybersecurity strategy is critical for the state and assists in garnering more

resources.1 Through this overview, NGA has identified a number of best practices for states

considering developing a statewide cybersecurity strategy.2 Among the 22 plans identified in

18 states, 14 are IT strategic plans, six are cybersecurity strategic plans, and two are homeland

security strategic plans. The IT and homeland security agencies’ strategic plans tend to limit

their scope to primarily protecting the state’s IT ecosystem and critical infrastructure,

respectively. The statewide cybersecurity strategic plans, however, detail specific objectives to

achieve a wide range of goals.

Nonetheless, there were recurring goals throughout all the plans: protecting state’s IT

infrastructure and data; developing and exercising a cyber response plan to protect critical

infrastructure; training employees on cyber hygiene; improving the cybersecurity workforce

talent pool; creating a governance structure and metrics; and creating partnerships. The

following section highlights states with innovative goals and objectives within these areas.

Best Practices

Model plans identify protecting IT infrastructure as a key goal, and, for most states, the first

step to achieving this is to move from a compliance-based approach to a risk-based approach.

The benefit of a risk-based approach is that a state tailors their priorities to the vulnerabilities

of their most critical assets, while a compliance-based approach focuses on “checking-off” a

list of actions a state should do, regardless of their needs. Furthermore, conducting risk

assessments to identify strengths and weaknesses assists in creating a comprehensive

cybersecurity strategy. Iowa, for example, plans on creating an operational plan, timeline, and

budget that addresses gaps and prioritizes remediation once they measure their cyber risk.

Another state, whose strategy is not public, uses scorecards to measure the maturity of security

controls within state agencies and their risk to threats.

Risk assessments can also inform cyber incident and disruption plans by identifying vulnerable

systems and supplying information needed to prioritize response efforts. Creating, formalizing,

and improving these response plans are goals or objectives in 12 states, and Wisconsin

dedicated an entire strategic plan to creating a cyber disruption plan. Maryland’s homeland

security strategy details several objectives to establishing a disruption plan, such as

1 Deloitte and the National Association of State Chief Information Officers. “2016 Deloitte-NASCIO

Cybersecurity Study.” http://www.nascio.org/Portals/0/Publications/Documents/2016/2016-Deloitte-

NASCIO-Cybersecurity-Study.pdf 2 All plans were collected in September 2016.

2

coordinating state agencies’ network protection plans to meet a minimum standard, and

inventorying public and private infrastructure to produce a system for securing targets of

interest.

One of the top priorities among state chief information security officers is to train and raise

awareness among state employees who lack basic cyber hygiene and are susceptible to

malicious cyber activity.3 Therefore, states should consider integrating employee cyber hygiene

training into their plan to further mitigate cyber risks. For example, Iowa’s plan requires

cybersecurity awareness training for all state employees and to measure the effectiveness of

the training. Similarly, several states are keenly aware of the cybersecurity workforce deficit

and recognize the need to groom the future cybersecurity workforce. For instance, Michigan

plans to promote cybersecurity careers to high school students, encourage the improvement of

cybersecurity occupational certification programs, and work with academia and private sector

partners to determine new workforce requirements.

To coordinate these goals, a few states have recognized a need to create a governance structure.

Florida, for example, intends on establishing a cybersecurity governance structure and using

working groups to create the state’s cybersecurity framework and to inventory their current

enterprise architecture. Some states have taken an informal approach to measuring their

cybersecurity strategy, such as establishing metrics and creating accreditation programs for

software purchases across state agencies. Lastly, these plans seek to promote partnerships with

other public, private, and federal entities. West Virginia’s plan is notable in that it calls on the

state to provide cybersecurity awareness training to local governments.

Conclusion

A risk-based strategy that identifies a state’s current threats, vulnerabilities, and capacity to

defend prized assets provides a governor with the information he or she needs to enact measures

that protect the state from cyber threats. Additionally, a strategy with metrics and methods of

evaluation ensures that a strategy’s objectives are achieving their stated goals. As a result, a

governor could prioritize and justify cybersecurity investments in key areas based on validated

metrics. Lastly, enlisting metrics ensures that a strategic plan is a living document that can be

updated as needed.

The following pages highlight the 22 plans’ goals and objectives. Please see “6 Steps to a

Cyber Strategy” for a template process on creating a cybersecurity strategic plan.

Please e-mail Michael Garcia, Policy Analyst, Homeland Security and Public Safety Division,

NGA at: mgarcia@nga.org with any questions.

3 Deloitte and the National Association of State Chief Information Officers. “2016 Deloitte-NASCIO

Cybersecurity Study.” http://www.nascio.org/Portals/0/Publications/Documents/2016/2016-Deloitte-

NASCIO-Cybersecurity-Study.pdf

3

Strategic Plans

CA, Information Technology Strategic Plan, 2016 (5 Objectives, 18 Strategies)

• Protect sensitive data through robust security and privacy programs

o Implement and monitor compliance with security and privacy policies, standards,

and practices.

o Provide accountability where compliance failure has exposed sensitive data to

avoidable risk

o Raise awareness of information security risks and educate and train state

technology users.

o Implement next-generation security tools.

• Ensure the state’s technology and public safety communication infrastructures have robust

and reliable disaster recovery capabilities to support the continuity of government services

• Improve how California uses public data and information by encouraging and enabling

shared capabilities, promoting transparency, and increasing the availability of relevant,

accurate, and useful data to constituents and to public sector entities

o Use data management and collaboration tools to increase the ease of data analysis

to leverage better value from the data collected by departments.

o Collect and share lessons learned from state agencies.

• Ensure California’s IT workforce has the knowledge and skills to support the state’s

technology infrastructure and implement its technology vision

o Attract a skilled workforce by analyzing and evaluating current and future

technology skillset needs, and implement outreach, recruitment, and knowledge

transfer strategies.

o Partner with the department of human resources to modernize IT classifications,

recruitment, and hiring.

o Maintain a skilled workforce by developing the capabilities of employees to fill

leadership positions and other key critical positions requiring specialized

knowledge.

o Expand educational opportunities to develop core competencies of employees in

IT functional areas such as cyber security, service desk management, software

development, infrastructure, and project management.

o Grow the project academy series to build out full day training offerings to educate

IT project teams, project sponsors, and stakeholders on IT project best practices,

lessons learned, and project leadership.

o Establish communities of interest to share IT project methodologies and expertise,

and share best practices.

o Ensure the IT community has access to experienced project management staff and

consulting services.

o Provide expertise and training for the successful completion of all phases of the

project lifecycle from concept to completion.

o Expand partnerships with the public and private sectors to deliver educational

conferences based on technology trends and best practices.

o Foster support of on-the-job training for legacy technologies no longer taught in

the universities (e.g., mainframe).

• Recognize success and excellent service by state employees and departments in order to

foster a sense of accomplishment and accountability for the state’s workforce

o Recognize state IT staff for their achievements at the quarterly agency information

and chief information officer meetings and at conferences.

4

o Ensure state entities are informed of opportunities that recognize the good work

that is completed in California which include the National Association of State

Chief Information Officers (NASCIO), Best of California, etc.

CO, Strategy for Information Security and Risk Management, 2016-2018 (4 Goals, 18

Strategic Initiatives)

• Protect state information and information systems to assure that the confidentiality,

integrity, and availability of all information is commensurate with mission needs,

information value, and associated threats.

o Design, build, and operate resilient and self-healing systems and networks that are

capable of resisting current and emerging cybersecurity threats

o Recruit, develop, and retain a motivated, professional, and knowledgeable

information security workforce

o Design, build, and operate the necessary tools, techniques, and procedures to

maintain “24/7” information security situational awareness of all state networks,

systems, and data

o Develop and maintain information security policies, standards, and guidelines that

are relevant, adaptable, and cost-effective

o Promote the understanding and acceptance of information security concepts and

practices throughout state government.

o Equip state information technology professionals with the tools, knowledge, and

skills to design, build, and operate secure applications and systems

o Develop, document, and socialize an information security architecture that (1)

aligns with the technology strategy, (2) transparently integrates security processes

into next-generation state networks and systems, and (3) anticipates and addresses

future threats

o Develop and maintain a statewide incident response and computer forensic

capability that is able to (1) quickly identify and isolate security incidents, (2)

recover impacted systems and business processes, and (3) when feasible, identify

and prosecute those attacking state systems

o Develop, document, and implement a standardized risk management framework

for accurately and uniformly assessing and managing the risk to the confidentiality,

integrity, and availability of state systems and networks

• Research, develop, and employ innovative and sustainable information security solutions

to address Colorado’s cyber security challenges.

o Actively leverage federal government, private sector, academic research, and

development of advanced cyber security tools and capabilities to assure the

confidentiality, integrity, and availability of state systems and data

o Rapidly evaluate, build, and deploy cutting-edge information security technologies

to outpace emerging threats

o Identify, evaluate, and share information on the threats and vulnerabilities

impacting state government to support future research and development efforts

• Develop and foster key partnerships to improve information sharing, reduce information

security risks, and to promote innovation and collaboration.

o Develop and formalize new partnerships with academic institutions, the private

sector, and Colorado’s state and local governments to share information security

threat intelligence, research and development efforts, and best practices

o Maintain active participation with the relevant organizations such as the National

Association of State Chief Information Officers’ (NASCIO) Privacy and Security

Committee, Multi-State Information Sharing Analysis Center (MS-ISAC), and the

SANS Institute

5

o Promote discussions and cooperative engagements that will enhance cyber security

for all Colorado residents including partnering with the department of public safety

in achieving the cyber security objectives of the division of homeland security and

emergency management strategy

• Comply with applicable information security and data privacy laws and regulations.

o Continuously assess and evaluate state systems and networks

o Conduct targeted, technical audits to identify and correct non-compliance with

state information security policies and applicable federal laws and regulations

o Partner with executive branch agencies to assist them in preparing for and

responding to information security-related audits.

DE, Statewide Information Technology Strategic Plan, 2016-20149 (1 Objective, 4 Focuses,

10 Strategies)

• Reliable, Secure, and Resilient Services

o Establish the Delaware Cyber Security Advisory Council

▪ Develop best practices to mitigate cyber security risks

▪ Improve overall security posture across all sectors in Delaware

▪ Increase information sharing between all sectors in Delaware

o Promulgate the Delaware Emergency Operations Plan

▪ Establish disruption response plans for all agencies supported through

centralization

▪ Conduct drills to test, evaluate, and modify plans annually

o Improve the overall security posture

▪ Provide backup and recovery of critical system

▪ Provide fail over services for mission critical services

▪ Provide planning, testing, and readiness assessments

▪ Provide enterprise network security monitoring and vulnerability scanning

o Deliver education and awareness

▪ Improve existing and develop new internal and external programs

FL, 2015-2018 Statewide Strategic Information Technology Security Plan (3 Strategies, 7

Objectives)

• Enhance security and privacy capabilities

o Implement a cybersecurity framework

o Improve situational awareness

o Develop a robust enterprise security incident response program

• Enhance the enterprise IT environment

o Invest in core enterprise enhancement

o Develop and implement application rationalization process

• Define the roadmap for maturing IT processes and strategic business alignment

o Strengthen project assurance and ensure project oversight

o Coordinate multi-agency enterprise initiatives

IA, Cybersecurity Strategy, 2016 (9 Goals, 31 Recommendations)

• Protecting lifeline critical infrastructure: Address high risk cybersecurity areas for the

state’s critical infrastructure and develop plans to better identify, protect, detect, respond,

and recover from significant cyber incidents.

o Implement the National Cybersecurity Framework to create a baseline for

measuring cybersecurity risk and assessing progress in lifeline critical

infrastructure services and state government.

6

o Formalize the cybersecurity incident response plan and necessary agreements and

processes for collaboration between state agencies, and regularly exercise the plan

o Continue forging partnerships with lifeline critical infrastructure sectors to ensure

the resiliency of digital systems. Promote and facilitate joint training and exercise

scenarios

o Promote additional public and private assessment processes such as the HSEMD/

US-DHS Critical Infrastructure IP Gateway Survey Program and the utilities board

cyber reviews

o Leverage state resources, such as the Iowa Communications Network pursuant to

IAC 8D.9 (3) to test, secure and protect critical communication infrastructure

• Risk Assessment: Establish a process to regularly assess cybersecurity infrastructure and

activities within the State.

o Report annually to the governor’s office and legislature on the current state of

cybersecurity risk, COOP/COG, and IT disaster recovery readiness for the

executive branch

o Assemble a working group of public and private subject matter experts to evaluate

the current risk assessment process and make specific recommendations for

improving the overall process.

o Improve accountability and transparency of state government’s cybersecurity

posture by creating a cybersecurity risk assessment report card.

• Best Practices: Provide recommendations related to securing networks, systems, and data,

including interoperability, standardized plans and procedures, and evolving threats and best

practices to prevent the unauthorized access, theft, alteration, and destructions of data held

by the State of Iowa.

o Fully implement the CIS-CS Controls for Effective Cyber Defense

o Leverage the findings from the 2016 Executive Branch Cybersecurity Survey and

create an operational plan, timeline and budget which addresses gaps and

prioritizes remediation within the CIS-CS and National Cybersecurity Security

Framework

o Reduce duplicative security products and initiatives and consolidate resources and

solutions under the OCIO

• Awareness Training: Implement cybersecurity awareness training for state government

o Require general cybersecurity awareness training for all State of Iowa employees

and additional specialized cybersecurity awareness training for employees with

privileged access. Conduct regular testing to measure the overall effectiveness of

the training.

o Further educate the state’s leadership on cybersecurity risk and their roles and

responsibilities

o Create a cybersecurity training environment to facilitate cross agency training

• Public Education and Communication: Identify opportunities to educate the public on ways

to prevent cybersecurity attacks and protect the public’s personal information

o Institute a public cybersecurity awareness and literacy campaign to improve the

cybersecurity awareness of Iowans and promote good cyber hygiene

o Facilitate and sponsor an annual public and private cybersecurity conference

o Provide cybersecurity awareness and literacy curricula and support materials for

K-12 and college students

• Collaboration: Collaborate with the private sector and educational institutions to

implement cybersecurity best practices.

o Improve and enhance current partnerships with educational institutions to identify

cybersecurity best practices through internships and faculty expertise

7

o Conduct cybersecurity training exercises across Executive Branch agencies and

lifeline critical infrastructure sector partners

o Identify, create, review and update legal agreements between collaborative

partners to improve information sharing, preparedness and incident response

o Expand private sector partnership programs to promote the sharing of criminal and

cyber-threat information affecting the private sector in Iowa

• STEM: Recommend science, technology, engineering, and math (STEM) educational and

training programs for K-12 and higher educational programs in order to foster an improved

cybersecurity workforce pipeline

o Incentivize students to pursue careers in cybersecurity through the creation of

scholarship programs modeled after programs such as the Federal Cyber Corps;

Scholarship for Service program, the AmeriCorps Model, the Military GI Bill, and

others

o Provide and encourage pathways to cybersecurity careers from K-12 through

higher education

o Conduct a review of the cybersecurity workforce requirements for the executive

branch and recommend necessary adjustments

• Data Breach: Establish data breach reporting and notification requirements

o Work with the attorney general to introduce changes to Iowa’s Code Chapter 715C

which would facilitate greater insight into the security breaches occurring in the

state and better protect the personal information of the citizens of Iowa

o Participate in initiatives designed to standardize data breach notification

requirements at a national level to aid in the protection of citizen privacy and

establish consolidated standards and reporting.

o Track and report the data breach impact to citizens of Iowa and Iowa businesses

• Emergency Response Plan – Cyber Annex: The homeland security and emergency

management department shall update the state’s emergency response plan to deal with the

physical consequences of a significant cyberattack against the State’s critical infrastructure

o Develop a strategic direction on how the state prepares and responds when cyber-

incidents involving lifeline critical infrastructure or state government escalate to a

level of significance requiring a coordinated response from a state and/or HSEMD

perspective

o Define a process to manage significant cyber incidents and provide a basis for

continuing refinement of our processes and policies that address the path from

steady-state to incident response

o Formalize the cyber annex of the emergency response plan and the cyber incident

response plan with required reviews and updates every two years

o Exercise the cyber annex as part of the emergency response plan and the cyber

incident response plan

ID, State Government Technology Strategic Plan, 2016 (2 Goals, 2 Objectives, and 8

Strategies)

• Manage IT and information from the perspective of state government as a whole

o To provide infrastructure and managed services for data, voice and video that are

secure and available, properly scaled and distributed with universal connectivity

throughout the state in a cost-effective manner.

▪ Confirm completion of 2014 objectives

▪ Assess network for: cloud performance issues, network redundancy,

segmented networks, review network security, and develop user standards

▪ Define benefits of the investment

8

▪ Long-term network contract

• Safeguard the security, confidentiality, integrity and availability of information

o To implement cybersecurity best practices in order to help manage cybersecurity

risk and maintain the integrity of state information.

▪ Adopt NIST framework

▪ Training for all employees

▪ Metrics to show vulnerabilities and progress

▪ Document benefits to the governor for funding.

KY, The Commonwealth Office of Technology Strategic Plan, 2014-2018 (2 Objectives, 9

Strategies)

• To enhance and continually improve IT security

o Implement appropriate security policies based on NIST

o Formalize the annual commonwealth cyber security exercise and incorporate

lessons learned and recommendations from each exercise into the lessons learned

and recommendations from each exercise into the appropriate polices, standards,

and procedures

o Constantly evaluate and enhance security toolsets and services

o Conduct a review of compliance with the roadmap for enterprise security and

provide guidance to agencies

o Review, update, and continue implementing the roadmap for enterprise security

• To raise awareness of the significance of security threats and vulnerabilities

o Assess agencies based on security awareness and make results available to agency

leaders

o Create and distribute a series of quarterly security reports to agency leadership and

the governor’s cabinet

o Complete, track, and evaluate effectiveness of COT’s internal security awareness

training

o Evaluate annual security awareness initiative to increase business unit

participation

MA, State Homeland Security Strategy, 2014 (1 Goal, 1 Objective, 6 Strategies)

• Protect the commonwealth from intentional acts of violence and terrorism

o Enhance the security of cyber systems by protecting against damage to,

unauthorized use of, and/or the exploitation of electronic communications systems

and services

▪ Develop specific cyber disruption plans

▪ Assess cyber disruption threat across the commonwealth

▪ Enhance training with emphasis on cyber systems and disruption

▪ Promote private/public partnerships around cybersecurity and disruption

▪ Continue to evaluate cyber‐related risk, vulnerability, and capability

assessments for high priority buildings, systems and technical capabilities

across the commonwealth

▪ Harden access control of publicly owned network and infrastructure.

MA, Office of Information Technology Strategic Priorities, 2017 (1 Priority, 3 Objectives)

• Security: Better protect information entrusted to us, while providing appropriate access

o Strengthen security governance and clarify roles and responsibilities

o Shift focus from compliance and documentation to action and responsiveness

o Improve visibility and intelligence into ever-increasing risks and threats

9

MD, Statewide IT Master Plan, 2017 (1 Objective, 5 Strategies)

• Cybersecurity Policies and Programs

o Establishing a governance and authority structure for cybersecurity;

o Conducting risk assessments and allocating resources accordingly;

o Implementing continuous vulnerability assessments and threat mitigation

practices;

o Complying with current security methodologies and business disciplines in

cybersecurity;

o Creating a culture of risk awareness.

Maryland Governor’s Office of Homeland Security Initiatives and Priorities (1 Objective, 4

Goals, 11 strategies)

• Core Goal 6: Cyber Security and Critical Infrastructure Protection

o All state government computer networks and systems should be protected from

cyber attacks and regularly tested for security and safety

▪ Coordinate individual state agency network protection plans so that each

agency meets a minimum protection standard, addresses physical and

electronic assets, and includes an annual security self-audit.

▪ Lead regular training for state agency CIOs and develop network safety

and provide security training materials for the state’s workforce.

▪ Collect reports of cyber attacks or incidents against state agency networks

and create a process to share information with the appropriate IT and

public safety stakeholders in a timely manner.

▪ Conduct random data security compliance assessments for selected

agencies throughout the year and, where applicable, include the results of

such assessments in agency self-audit reports.

o Critical private sector entities including utilities should be included in cyber

security planning, training, and exercising

▪ Identify private sector networks critical to the operations of the state’s

information technology infrastructure and share and implement cyber

security solutions including both technological solutions and training and

education of personnel.

▪ Share alerts and notifications of potential cyber threats with trusted private

sector partners

o Maryland should be able to effectively respond to cyber incidents involving public

and private networks that affect the well-being of Maryland residents, businesses,

and the ability of the state to provide essential government services

▪ Develop a cyber incident response plan to coordinate federal, state, local,

and private sector activities and manage the risks associated with an attack

or malfunction of critical information technology systems within the State.

▪ Ensure all state agencies’ continuity of operations (COOP) plans include

alternate methods of business operations for systems that may be affected

by a cyber incident

o Maryland should have a complete and prioritized inventory of critical

infrastructure, including assets controlled by the private sector, and a system for

securing high-priority targets or populations of interest.

▪ Develop a single, shared database of critical infrastructure, map all

qualifying assets, and overlay suspicious activity reports (SARs) to identify patterns and proximity to critical infrastructure.

10

▪ Create a platform to disseminate alerts and notifications regarding threat

intelligence and emergency incidents to critical infrastructure owners and

operators.

▪ Prioritize critical infrastructure assets and conduct on-site physical

security assessments at high-risk facilities and sites.

MI, Cyber Initiative, 2015 (3 Objectives, 26 Strategies)

• Leadership, Prevention, Detection, Response

o Further develop partnerships within the cybersecurity ecosystem to take the cyber

disruption plan to the next level, including establishing the cyber defense response

team to support state government and key stakeholders in the state during and after

a cyber event

o Conduct annual cybersecurity exercises to further prepare state governments and

private entities to respond in the event of a cyber disruption

o Continue to update the foundational elements of cybersecurity in the state to adhere

to the NIST Cybersecurity Framework

o Move closer to full implementation of a cybersecurity architecture based on the

zero-trust security model

o Transition from a compliance-centric approach to cybersecurity to a risk-based

approach

o Partner with leading cybersecurity experts to develop a practical cyber risk model

o Work with public and private organizations to develop draft legislation to allow

for this necessary information sharing that can serve as a model for other states

• Education and Public Awareness

o Continue to offer leading edge training and awareness programs, enhance the

Michigan Cyber Range to include more sites and courses, and offer exciting cyber

summits and roadshows around the state

o Expand education efforts to target P-20 students with online and classroom training

o Hold town hall meetings with intermediate school districts throughout the state to

offer support to enhance cybersecurity awareness programs in schools

o Follow the National Initiative for Cybersecurity Education Framework

o Continue the deployment of Michigan Cyber Range extension sites at National

Guard bases

o Roll out a free IT security assessment tool, CySAFE, to help small and mid-sized

governments assess, understand, and prioritize their basic IT security needs

o With our public and private partners, develop cyber-threat warning levels that

provide the public with threat awareness information in real time

• Michigan’s Unique Cyber Industry Opportunity

o Encourage public and private collaborations to utilize the DHS cybersecurity

competency framework

o Work with academia and industry to determine new workforce requirements from

emerging technology and threats

o Promote the Michigan Cyber Range as a valuable resource to enable industry and

IT specialists to develop advanced cybersecurity skills and certifications

o Encourage the improvement and advancement of cybersecurity occupational

certification programs

o Establish a baseline for cybersecurity professionals across multiple industry

sectors

o Encourage the establishment of a professional organization to provide education,

training and networking opportunities

11

o Promote employment opportunities and feature employers through talent

information newsletters

o Work closely with employers to match talent to their needs

o Promote cybersecurity careers to high school students, connecting them to post-

secondary training programs

o Expand existing international, regional and local economic development

partnerships

o Facilitate the convergence of cybersecurity with key industries

o Facilitate the launch of industry specific “Cybersecurity Technology Innovation

Challenges”

MN, Master Plan, Information and Telecommunications, 2012-2017 (4 Strategies, 14

Objectives)

• Continue developing core enterprise security program functions that will help proactively

manage information security risk

o Continue movement towards an enterprise security model that coordinates all

planning, oversight, and response activities through a single program.

o Adopt processes to design appropriate security controls in new systems or systems

that are undergoing substantial redesign.

o Provide employees at all levels with relevant security information and training to

lessen the number of security incidents

o Build a compliance program to validate that information security controls are

functioning as intended

o Improve boundary defenses by installing a zoned security model that separates and

controls access to different networks with different threat levels.

o Adopt a hardened security defense model for computers that routinely interact with

untrusted devices on the internet or may be prone to loss or theft

o Develop central processes and tools to manage physical and logical access to state

computer systems and data more efficiently and effectively

• Continue developing enterprise-wide information security processes and tools to improve

situational awareness

o Gain better situational awareness through continuous monitoring of networks and

other IT assets for signs of attack, anomalies, and inappropriate activities.

o Continuously identify and remediate vulnerabilities in state computer systems

before they can be exploited.

• Continue developing shared processes to minimize the impact of adverse security events

o Increase emphasis on business continuity planning and disaster recovery testing

across all agencies and all systems

o Provide centralized security incident response and forensic investigation services

to determine the cause, scope, and impact of incidents and limit damage.

• Minimize risk and maximize redundancy in major systems and facilities

o Reset and accelerate data center virtualization and consolidation to achieve an

acceptable risk level for the data and systems that manage state operations; partner

with other state government entities to develop and leverage shared data center

strategies

o Encourage adoption of the state’s high-security network, communications and

collaboration tools among all branches of state and local government to increase

security inter-government communications and interoperability.

MS, Strategic Master Plan for Information Technology, 2016-2018 (1 Strategy, 10 Actions)

12

• Provide, protect, and support enterprise technology infrastructure components to

strengthen the security posture of the state

o Align enterprise security policies, standards, plans, and other cybersecurity

documents with current security methodologies and industry standards, such as the

NIST Cybersecurity Framework

o Coordinate the state’s participation in Cyber Storm V

o Develop an enterprise incident response plan

o Research the cybersecurity insurance market for available coverage to mitigate

losses from a variety of cyber incidents

o Research secure web gateway solutions to enhance the ability to protect state assets

against attacks by detecting and filtering unwanted software and malicious code

from user initiated Internet traffic

o Research next-generation firewall technologies

o Research virtual private network (VPN) technologies

o Implement a managed security service log correlation solution

o Manage and enhance security vulnerability management tools and leverage

internal/external partners

o Perform, coordinate, and promote security education, awareness and cyber

exercises

MT, State Information Technology Services Division 2016 (1 Goal, 4 Objectives)

• Manage Cybersecurity Risk to Systems, Assets and Data

o Develop best practices for common security controls for all agencies to use

o Develop and implement a standardized information security program assessment

and measures for departments and the state

o Provide a yearly state information security assessment to the governor showing

program successes and a plan to address shortcomings

o Develop a governor’s information security dashboard

NC Planning and Financing State Information Technology Resources for the 2015-2017

Biennium (1 Goal, 4 Objectives, 10 Initiatives)

• Modernize and Secure IT Systems

o Standardize and improve office of information technology (OIT) service deliver

▪ Conduct a comprehensive service assessment

▪ Develop a new service catalog

o Enhance the agility of our infrastructure

▪ Improve cloud computing capability

▪ Modernize the network

▪ Increase infrastructure efficiency

o Improve communication and collaboration capabilities

▪ Develop a unified communications strategy

▪ Fully implement and leverage office 365

▪ Develop a content management strategy

o Manage IT risks and access

▪ Modernize identity and access management

▪ Conduct end user threat training

▪ Enable network assurance

13

TX, 2016-2020 State Strategic Plan for Information Resources Management (2 Goals, 6

Objectives)

• Secure and protect government and citizen information

o Implement policies and standards aligned with the state’s cybersecurity framework

o Develop and adhere to a software currency policy

o Increase employee cybersecurity training and awareness

• Prepare for continued government operations during and after an emergency

o Test and improve business COOP

o Consider cloud infrastructure to improve business continuity

o Implement teleworking to improve COOP

VA, Strategic Plan for IT, 2012-2018 (1 Goal, 6 Strategies)

• Implement technologies, practices, and monitoring to protect commonwealth data and

infrastructure, reduce the commonwealth's attack surface area, maintain cyber security

situational awareness, effectively respond to cyber security attacks, identify and remediate

IT security risks, maintain a knowledgeable cyber security workforce, and maintain citizen

trust in the commonwealth's commitment to the securing of their personal information.

o Manage the IT risk management program for the commonwealth, including

implementation of a risk management portfolio tool

o Enhance the commonwealth's cyber security posture

o Continue to enhance the cyber security governance framework to include:

▪ Implementation of a method framework to ensure compliance with

security PSGs,

▪ Monitoring of commonwealth data and assets for threats and

vulnerabilities and remediation of any issues identified,

▪ Identification, mitigation, and management of IT security incidents,

▪ Development of cyber intelligence based on research of current cyber

trends as well as analysis of cyber data within the commonwealth, and

▪ Provision of cyber security data and information to commonwealth entities

and other partners of the commonwealth.

o Develop security governance requirements for commonwealth identity

management

o Deploy a single identity management system (CAS) for all public-facing state

government apps

o Provide adequate cyber security training and education for commonwealth leaders,

IT professionals, information security personnel, and commonwealth employees

VT, 5 Year Strategic Plan FY2016-2020 (1 Goal, 4 Objectives)

• Enhance information security

o Manage data commensurate with risk

o Maintain defense in depth

o Provide enhanced security awareness

WV, Information Cyber Security Strategic Plan (2015) (15 Goals, 65 Policy Initiatives)

• Security Policy Development

o Periodically update the existing executive branch security policies and procedures

o Create additional policies and procedures as needed

o Review agency information/cyber security policies

o Maintain copies of all adopted policies online for web access

14

o Develop an effective awareness training strategy for policies, and implement this

strategy

o Maintain policies that address the expectations held for employees with critical

technical roles

• Privacy Partnership

o Provide security expertise to the privacy management team and state privacy

officer and staff

o Collaborate with the chief privacy officer on security and privacy concerns

o Collaborate with the privacy office to achieve compliance with privacy mandates,

laws, and best practices

• Risk Management

o Review and update documentation of system characterizations

o Identify existing relevant threats and vulnerabilities

o Document existing controls in place, or available, to reduce risk

o Determine likelihood and impact of adverse event

o Create a qualitative risk matrix: high, medium, and low

o Conduct a cost-benefit analysis on prospective risk reduction options

o Select a risk mitigation strategy based upon risk, cost-benefit analysis, and

available resources

o Recommend changes in controls/countermeasures. Work toward selection and

commitment

o Complete selected mitigation activities.

o Create risk memoranda to identify residual/acceptable risk after

controls/countermeasures

o Monitor system for changes and repeat process at appropriate intervals

• Business Continuity Plan

o Support activity of agency data and system classification

o Support/validate meaningful alignment between business continuity and disaster

recovery plans

o Support/require periodic testing of business continuity plans, in conjunction with

the associated disaster recovery plan

• Disaster Recovery Plans

o Where agency agreements exist, verify that disaster recovery plans are completed

for each critical business function, and aligned with the associated business

continuity plan

o Where agency agreements exist, verify that the plan for adequate periodic testing

and validation of disaster recovery plans is completed and documented

• Security Operations Center

o Maintain the full functionality needed in the SOC

o Maintain 24x7x365 security surveillance of network traffic and system events for

all critical infrastructure components combining threat analysis and alerts to State

technicians when any anomalies are detected, correlated

o Maintain comprehensive WEB activity monitoring and selective site blocking

based upon customer requirements

o Develop a state-of-the art situational watch room, combining analyst,

management, and executive-level dashboards

o Focus upon the insider threat, and network violation management through the use

of effective policy monitoring, reporting and agency enforcement

o Maintain and support the analysis of cyber-security counter-intelligence

• Training and Culture

15

o Provide all executive branch employees with security awareness training, annually

o Establish a process to audit for, and assure, completion of training by all

employees, with proper documentation of training history

o Establish minimum training standards, and assist with curriculum development

that addresses the unique and/or elevated responsibilities and requirement for

expertise, commensurate with the role

o Offer WEB-based information/cyber security awareness training to local

governments and other State partners

o Conduct an annual “October is Cyber and Information/Cyber Security Awareness

Month” event

o Periodically introduce new or enhanced training to keep the message “fresh and

effective.”

• Information/Cyber Security Management Emphasis

o Maintain an informed and engaged GEIST through quarterly meetings, ad hoc

communications, information/cyber advisories, and special meetings, as needed

o Elevate the visibility of the information security initiatives and the GEIST in

organizational units throughout the state government

o Periodically review the GEIST Charter for relevance and suitability

• Audit Program

o Conduct audits in agencies for compliance with executive branch IT policy

o Conduct audits of technical environments, with emphasis on the WVOT, for

compliance with policy and best practices

o Formal reporting of findings to appropriate management with recommendation for

corrective action to mitigate identified risk

o Conduct vulnerability scans, and oversee penetration testing as needed to verify

system “health.”

o Contract for 3rd party auditing services to augment internal audit resources or to

perform specialized audit services.

o Review 3rd party provider agreements and services, including at off-site locations,

to ensure adequate security controls

• Certification and Accreditation (C&A)

o Identify responsibility and resources for the development of a C&A program

o Establish the framework (processes, practices, and procedures) for C&A,

collaborating within the office of technology, and between the WVOT and its State

agency partners

o Define C&A criteria and scope, meaning: what kinds of technologies must undergo

C&A before being moved into production, and what are the standards that must be

met for each technology

o Plan, develop and deliver C&A training to all affected individuals, to unify

understanding of the process, and understanding about how to approach product

and service rollouts within the C&A framework.

o Map C&A activities to the technology, and project-management life-cycle

• Incident Management and Computer Forensics

o Maintain a computer security incident response team (CSIRT)

o Maintain adequate forensics skills to accomplish needed investigations

• Staffing Levels and Team Development

o Maintain a job classification series that closely describes required expertise, and

the work, of an information/cyber security professional

o Train and cross-train staff to a multi-disciplinary model as much as possible.

• Funding

16

o Establish an adequate per seat per user fee for security services that will fund a

fully functional information/cyber security controls and compliance program as

described in this document

• Information/Cyber Security Metrics

o Work with a representation of partners to develop a set of metrics to be identified

and tracked

o Determine how to derive the metric, and most efficiently capture and report the

metric at the specified interval

o Automate the metrics reporting function wherever possible

o Continue to evaluate the effectiveness of the metrics strategy

• Outreach

o Share expertise, assistance, and training materials with other public sector

organizations

o Promote discussions that will enhance the security work of all public sector

partners in state government

o Maintain active participation with the Multi State – Information Sharing Analysis

Center and other groups whose reach is beyond the governor’s executive branch

o Maintain active participation in the National Association of State CIOs (NASCIO)

Privacy and Security workgroup, and other relevant organizations

o Maintain a working relationship with legislative commission on special

investigations

WI, Statewide Strategic IT Plan, 2014 (2 Goals, 4 Objectives)

• Optimize Infrastructure and secure information with a focus on:

o Security; and

o Disaster Recovery/COOP

WI Cyber Disruption Response Strategy, 2015 (5 goals, 20 objective’s) (Not Publicly

Available)